Mobile credentials
Magnus Nystrom <magnus@rsasecurity.com> Wed, 15 March 2000 14:14 UTC
Received: from ns.secondary.com (ns.secondary.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA07530 for <pkix-archive@odin.ietf.org>; Wed, 15 Mar 2000 09:14:11 -0500 (EST)
Received: from localhost (daemon@localhost) by ns.secondary.com (8.9.3/8.9.3) with SMTP id GAA03408; Wed, 15 Mar 2000 06:12:46 -0800 (PST)
Received: by mail.imc.org (bulk_mailer v1.12); Wed, 15 Mar 2000 06:12:40 -0800
Received: from karon.dynas.se (karon.dynas.se [192.71.43.4]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id GAA03377 for <ietf-pkix@imc.org>; Wed, 15 Mar 2000 06:12:38 -0800 (PST)
Received: (qmail 52193 invoked from network); 15 Mar 2000 14:13:54 -0000
Received: from spirit.sto.dynas.se (HELO spirit.dynas.se) (172.16.1.10) by karon.sto.dynas.se with SMTP; 15 Mar 2000 14:13:54 -0000
Received: (qmail 5870 invoked by uid 1183); 15 Mar 2000 14:13:53 -0000
Date: Wed, 15 Mar 2000 15:13:51 +0100
From: Magnus Nystrom <magnus@rsasecurity.com>
X-Sender: magnus@spirit.dynas.se
Reply-To: magnus@dynas.se
To: ietf-pkix@imc.org
Subject: Mobile credentials
Message-ID: <Pine.GSO.4.05.10003151511010.5321-100000@spirit.dynas.se>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by ns.secondary.com id GAA03378
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe
Content-Transfer-Encoding: 8bit
All, Please find attached to this email a memo discussing the use of and potential need for a PDU format and associated protocol for down- (and potentiall up-) load of personal credentials, such as private keys and X.509 certificates. Stephen Farrell of Baltimore is likely to give a presentation on this subject at the upcoming IETF meeting in Adelaide. We are currently unsure of whether this would be a work item for PKIX or for some BOF (or at all), but at least it seems as if this mailing list would be a good starting point. Comments are of course welcome and solicited. Thanks, -- Magnus & Stephen Magnus Nyström, RSA Laboratories Stephen Farrell, Baltimore Technologies --------------------------------------------------- Mobile credentials 1 Introduction As the number, and more particularly the number of different types, of devices, (particularly wirless), connecting to the Internet increases, the issue of credential mobility becomes an issue for IETF standardization. This note presents some background and existing work on the topic and recommends pursuing this topic in either the PKIX WG or a BOF. 2 Mobile Credentials 2.1 Background A nice feature of smart-card based PKIs, in addition to the security offered by the cards themselves, is the "free-seating solution," or the portability of user's credentials. In order to provide a similar solution to environments based on purely software implementations or "virtual cards" (a.k.a "soft tokens," software files containing information normally stored on smart cards) some kind of credential store from which users can download their soft-tokens, using some specified protocol is required. This protocol will provide mobility for credentials. Such a solution would also allow users to have identical credentials on, e.g. their mobile phone as in their desktop. Adding an upload protocol to the solution means that it in principle is possible to always have the credential store up-to-date. If a specification for a smart card application also specifies how to store the application's data in a single software file, then it will be possible to use this file format as a "virtual card" or "soft token". Soft tokens can be used, e.g., for transfer of information for later storage on a real card, or for use within a token-aware system not using "real" tokens such as smart cards. An advantage of having the soft token format similar to the "real" token format is that the "format" layer in the software does not have to know if it is dealing with a real token or not. Further, if the soft token format is well known, it will in principle be possible to download such a token from a "credential server". By doing this one would in principle accommodate what generally is known as the "free seating solution" - users will be able to use a single set of credentials regardless of where they happen to work. Even in some cases where real smart cards are used, there may be some benefit to using such a protocol - e.g. when a new card is received, but "old" credentials should be used. If the cards offered the appropriate install and delete interfaces, then the credentials could be (securely) moved between cards. Many desktop applications also require mobility of credentials, for example to support some "kiosk" style operation, when a user upgrades a PC, or when "hot-desking". It is sometimes required to integrate such credential mobility with single-sign-on solutions. A protocol that could be used in the smart card case, can also be used to solve this case. Finally, some applications may benefit from being able to migrate credentials from a desktop to a smart card, in particular where the smart card using device has limited user interface capabililies, e.g. a mobile phone. 2.2 Security Issues Mobile credentials will never be as secure as a "pure" smart card solution. However, reasonable security may be accomplished through some simple means, outlined in the following sections. One should keep in mind, however, that platforms to which credentials are downloaded usually cannot be regarded as tamper-resistant, and it therefore is not too hard to analyze contents of their memories. Further, storage of private keys, even if they are encrypted, on a credential server, will be unacceptable in some environments. 2.2.1 Confidentiality Protection Private information in credentials must be protected by encryption. The key for this encryption can be derived from a password, but can also be something stronger. As an example of a stronger method, one could consider the user authenticating to the credential store using some strong authentication method (not requiring public-key cryptography) and then downloading (over a confidentiality-protected connection) not only the credentials but also (parts of) the key to unlock the card. This way, the key used to protect the credentials will not be derived from the user's password solely. Further, in order to make it harder for a credential store administrator to find out about users' private objects, the key stored at the operator's server may be combined with a user-derived key to form an actual key-encryption key. 2.2.2 Integrity Protection Credentials must be integrity protected, since it would otherwise be possible for an attacker to substitute parts of the credentials (e.g. trusted certificates) with something more advantageous for the attacker. Once again, the key for this integrity-protection may be derived from a user password, but in this case, it could also be the user's own private key (assuming that private objects on the token are decrypted before the integrity check is done). 2.2.3 Down- and Up-load protocols The copy of the credentials stored in the credential store should always be up-to-date, in order to provide for a true free-seating solution. This means that uploads should be performed as soon as changes are made to the user's copy of the credentials. A user could always downloads the credentials from the store when e.g. connecting to the network. If the store is unavailable, e.g. due to a roaming user, a locally cached copy of the credentials may be used. The protocols used must be integrity protected, and a user might be required to do a strong (public-key based) authentication in order to upload credentials. 2.3 Other Issues In addition to the specific issues raised above, the following more generic issues may pose challenges in providing a solution to this problem: - IPR: Some of the useful mechanisms are encumbered - Privacy: Use of a credential store should not decrase the expectations of the user for privacy (e.g. if the credentials are subsequently used for authentication with some protocol that does provide privacy) - Robustness: Credential stores should not unacceptably increase the potential for denial-of-service attacks - Performance: Clients for the putative protocol should not typically have to wait too long for access to credentials - Bootstrapping: The use of, e.g. TLS server authentication, depends on the client having a (set of) trusted root(s) - as the putative protocol may be providing these roots, there may be some hard bootstrapping issues. Finally, we note that whether or not the user authentication, credential protection and specific credential formats should be separated, or should be intertwined, is an open issue. 3 Prior work 3.1 The "inetOrgPerson" object class In [6], an auxiliary object class, "inetOrgPerson," is specified. One attribute defined for use with this object class is "userPKCS12", which is a PKCS #12 [4] PDU, containing personal credentials. 3.2 The "pkcsEntity" object class In [3], another auxiliary object class, "pkcsEntity," is specified. This object class is capable of carrying "userPKCS12" PDUs as well as "pKCS15Token" PDUs. 3.3 Active Directory's "user" object class In [2], an object class "user" is specified, holding, among other attributes a "privateKey" attribute, whose values are encrypted private keys. 4 Possible Specifications needed 4.1 Soft-token up- or down-load protocol This protocol could be made very simple; it could in principle be specified in terms of the current http [1] protocol, using the request-response model specified therein. Credential servers would listen on certain ports for connection requests, perform TLS handshakes and act in accordance with received requests. Some stronger authentication methods may have to be defined for use with http. 4.2 Specification of soft token format The specification should leverage some existing specification. As an example, the current draft of PKCS #15 [5] includes a format for credentials, which could simplify this task, but other solutions are clearly also possible. 5 Discussion and Conclusion Evidently, all the examples from section 3 are based on the use of LDAP-accessible directories as "credential stores." A disadvantage with this is that LDAP, despite its name, can be considered "heavy-weight" in this context, since a very simple protocol for up- and down-loads would suffice. LDAP is clearly to complex for wireless devices such as current mobile phones. The solution in Section 3.3 above also suffers from the use of non-standard attributes. The conclusion is therefore, that while the work mentioned in sections 3.1 - 3.3 is useful and provides a basic framework, it does not quite fullfil our needs of a simple protocol and a standardized format for personal credentials. In summary, this topic appears to be suited for consideration in the PKIX WG, or, perhaps more likely, for a more BOF on the topic; followed by standardization of a credential mobility protocol and (set of) credential format(s). 5 References [1] "R. Fielding, J. Gettys, J. Mogul,, H. Frysyk, L. Masinter, P. Leach, T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", IETF RFC 2616, June 1999. [2] "Microsoft Windows NT Active Directory Technical Summary," Microsoft Corp., September 1997. [3] "PKCS #9 v2.0: Selected object classes and attribute types," RSA Laboratories, February 2000. [4] "PKCS #12 v1.0: Personal Information Exchange Syntax," RSA Laboratories, June 1999. [5] "PKCS #15 v1.1 (Draft): Cryptographic Token Information Syntax Standard," RSA Laboratories, December 1999. [6] M. Smith, "Definition of the inetOrgPerson LDAP Object Class," IETF work in progress, January 2000
- Mobile credentials Magnus Nystrom